Securing arbitrary communication services

ABSTRACT

The present invention relates to securing information in open systems and more particularly to a method and a system for providing authentication, confidentiality and integrity protection of arbitrary communication services. A client that wishes to communicate with a particular service downloads a signed program code from that service containing code necessary for doing authenticated key exchange with that service. The client is assumed to support only two basic cryptographic functions: signing of arbitrary data by using a public key algorithm together with a one way hash function, and verifying a public key signature of arbitrary data. By allowing the security protocol needed for key exchange and data communication protection to be downloaded the number of predefined security functions that a client or server needs to support is limited. This also makes it much easier to update the communication protection since only the server program needs to be updated.

FIELD OF INVENTION

[0001] The present invention relates in general to securing information in open communication systems, and more particularly to a method and a system for providing authentication, confidentiality and integrity protection of arbitrary communication services.

DESCRIPTION OF RELATED ART

[0002] In open communication systems there is a need to secure the information. This includes authentication of the communication peers and confidentiality and integrity protection of the data. Authentication implies that some means has been provided to guarantee that the entities are who they claim to be, or that the information transmitted has not been manipulated by unauthorized parties. Confidentiality basically implies that no unauthorized entity is able to read our message, and data integrity ensures that our message has not been altered, that the whole message stream comes from the same source and that the whole message stream goes to the same destination.

[0003] Solutions to these types of problems come from cryptographic research. Typically a cryptographic algorithm is a function that takes as input one value that should be kept secret or should be protected, and another secret value. The secret value is often called a secret key of the algorithm. Many modern secure communication systems use well known cryptographic algorithms, and the security is not based on the algorithm itself but on a secret key. The assumption that only the actual key is kept secret from the adversary is called Kerckhoffs' assumption. Kerckhoffs' assumption is important in open communication systems like the Internet, where devices from many different vendors at many different locations need to inter-operate. It is much easier to make the communication work if the methods of how to process the data are publicly known. Hence, all Internet communication security techniques are built on Kerckhoffs' assumption, i.e. well known cryptographic algorithms with the security based on secret key values.

[0004] In order to set up a secure communication channel there must be some predefined protocol that describes which messages should be exchanged between the communication peers. A necessary step in securing a communication system is to provide authenticated key exchange. Typically a key exchange is done by using a public key algorithm, e.g. the Diffie-Hellman (DH) algorithm, used in e.g. the Internet Key Exchange Protocol (IKE), the Transport Layer Security protocol (TLS) and the Secure Shell Protocol (SSH), or the Rivest-Shamir-Adleman (RSA) algorithm, used in e.g. TLS.

[0005] In open security protocols like SSH, TLS and Internet Protocol Security (IPsec)/IKE, public key algorithms are used to digitally sign data or to do key exchange. Several different public key signature methods as well as key exchange methods might be used. The basic protocol that is used to encrypt payload data and to add an integrity check tag is very similar in these protocols. However, the authentication procedure, the key exchange and the different symmetric algorithms supported in the protocols differ substantially. Hence, a problem is that at least one of the communication peers must support a very large number of different cryptographic algorithms and security options if two units without a predefined secure relation should be able to inter-operate securely. Furthermore, the large number of different options makes the key negotiation protocols very large and complex, and simply hard to implement.

[0006] U.S. Pat. No. 5,892,904 describes a method that ensures authenticity and integrity of a computer program, an executable file, or code received over a computer network, e.g. the Internet. In one embodiment the method involves determining a cryptographic digest or "hash" of the executable file and forming a publisher signature with the cryptographic digest. The publisher signature is formed with a public-private key signature algorithm such as the RSA (Rivest-Shamir-Adleman) public key algorithm, as is well known in the art. A publisher digital certificate is attached to the publisher signature to authenticate the identity of the publisher issuing the publisher signature. The digital certificate includes the software publisher's name, a public key corresponding to a private key used by the publisher to sign the file, an expiration date of the certificate, and a link or hyperlink to the certification agency.

[0007] WO 99/56428 describes another secure method of downloading a program into a processor from a device external to the processor. The program may be encrypted and have authentication information added to it. The processor decrypts and authenticates the program before allowing the program to be executed by the processor.

[0008] WO 99/33224 discloses a method and system ensuring that a data stream including e.g. video or audio data can only be received by authorised receivers. The receivers can also prove the number of received video or audio data packets. This is done by encrypting every data packet sent in the data stream and logging the number of decrypted packets in the receiver.

[0009] None of these documents describes how a secure communication channel is established between two communication peers not having a predefined security relation. This is a common situation in e.g. ad hoc networks, i.e. Bluetooth™, Salutation™, Jini™ etc. Thus, there is a need for a method and system showing how to establish secure communication between a client and an arbitrary communication service.

SUMMARY OF THE INVENTION

[0010] The present invention provides a solution to the problem of securing a communication channel between two communication peers not having a predefined secure relation.

[0011] In state-of-the-art protocols at least one of the communication peers must support a very large number of different cryptographic algorithms and security options if two units should be able to inter-operate, making the key negotiation protocols large and complex.

[0012] One object of the invention is thus to provide a solution where the number of needed predefined cryptographic algorithms is as small as possible.

[0013] Another object of the invention is to reduce the complexity of the key negotiation protocols, which depends on the number of supported options and cryptographic algorithms.

[0014] Yet another object is to provide a solution where the problem of export restrictions is reduced.

[0015] The above mentioned objects are basically achieved by downloading from a particular service, that a communication client wants to communicate with, a signed computer program (e.g. a Jini™ Proxy) containing the necessary algorithms for doing authenticated key exchange with the server. Furthermore, the computer program contains the necessary algorithms needed to encrypt and protect all data sent between the client and the service in a secure service session.

[0016] More specifically the invention concerns a security communication situation where a communication client wants to communicate with a particular service. The service can be reached by the client using either a global network such as the Internet, a local network or even an ad hoc network, i.e. a network created on the fly between entities that happen to be at the same physical location.

[0017] It is also assumed that all units that utilise the service use a common computing platform, i.e. all units can download and execute a program written in a common language. An example of a widely deployed such computing platform and language is the Java™ virtual machine and the Java™ byte code computing language. The client is supposed to have only two pre-defined cryptographic capabilities: the ability to digitally sign arbitrary data and the ability to verify a digital signature of arbitrary data.

[0018] The server that wants to offer a secure communication service digitally signs a computer program containing the necessary algorithms for authenticated key exchange with the server, using its private key in a public key pair. The server packs the signed code together with the signature and optionally also one or several certificates that certify the public key of the server. The server's public key can then be used to verify code signed by the server.

[0019] A client that wants to communicate with a service downloads over the network the package with the signed code and a possible certificate and checks the signature of the downloaded package. If the client holds a trusted public key that corresponds to the signature, or the client trusts some of the public keys contained in the certificates included, then the client treats the downloaded code as trusted security code.

[0020] The security code is then executed on the common computing platform of the client and can ask the client to perform one security function if mutual authentication is desired. This function has as input some arbitrary data and as output a digital signature of the data plus a specific label added by the client. The client might also return a certificate containing the public key that can be used by the service to verify signatures made by the client. The service code performs authenticated key exchange with its origin server. If it succeeds it sets up a secure communication link with the server.

[0021] In a first embodiment of the invention the authenticated key exchange is made more efficient by taking advantage of the fact that the key exchange code itself is signed, thereby saving one public key signature generation, one public key signature verification and one transmission between client and server.

[0022] In a second embodiment of the invention the key exchange is separated from the protection of the communication. The benefit of that approach is that several different services can be protected using one master key, instead of each service having to perform a heavy public key exchange.

[0023] By allowing the security protocol code needed for key exchange and data communication protection to be downloaded, the number of predefined security functions that a client or server needs to support is limited. Instead the security is guaranteed by signing the security code itself. This also makes it much easier to update the communication protection with new algorithms: when security flaws appear in the protocol and the whole or parts of the protocol must be rewritten, it is only the server program that needs to be updated.

[0024] Since the only cryptographic functions needed by the client are signing and verification of signatures, there is usually no problem with export regulations, since these functions are normally not restricted.

BRIEF DESCRIPTION OF THE DRAWINGS

[0025] These and other objects and advantages of the invention will become more fully apparent from the following detailed description when read in conjunction with the accompanying drawings, with like reference numerals indicating corresponding parts, and wherein:

[0026] FIG. 1 shows the basic communication scenario;

[0027] FIG. 2 shows a flowchart of an embodiment of the invention; and

[0028] FIG. 3 illustrates an alternative communication scenario using a key exchange server.

DETAILED DESCRIPTION

[0029] Referring now to FIG. 1, the present invention will be described in a security communication situation 100 where a communication client 110 wants to communicate with a server 120 providing particular services. The server 120 can be reached by the client 110 using a global network, e.g. the Internet, or a local communication network or even an ad hoc network 130. Furthermore, it is assumed that all units that utilise the services use a common computing platform 140, i.e. all units can download and execute a computing program written in a common language. An example of a widely deployed such computing platform and language is the Java™ virtual machine and the Java™ byte code computing language. The unit offering the service, i.e. the server 120, has full knowledge of the language and the common computing platform used by different clients 110 in the network.

[0030] The invention will now be described using the Java™ Jini™ technology as an example of a communication client wishing to connect to a communication service. The Java™ Jini™ technology makes computers and devices able to quickly form ad hoc networks without any planning, installation or human intervention. Each device provides services that other devices in the network may use. These devices also provide their own interfaces, which ensures reliability and compatibility. Each device and service is registered in a lookup service, and when new devices enter the network they go through an add-in protocol called discovery and join. To use a service a person or a program locates the service using the lookup service. The service's interface is copied from the lookup service to the requesting device where it will be used. The lookup service thus acts like a switchboard to connect a client looking for a service with that service. It doesn't matter where a service is implemented, since compatibility is ensured because each service provides everything needed to interact with it in a downloadable Jini™ proxy.

[0031] In a wireless ad hoc network trust is one of the central problems. Since we cannot trust the medium, the only choice is to use cryptography. One of the main problems is that we cannot assume any pre-configured security relations between the ad hoc nodes. Given that all of the nodes in the ad hoc network have public key pairs, and that all of the nodes consider the public keys of the others good for creating secure connections within the ad hoc network, any public key based authentication can be used.

[0032] Different from standard approaches, it is in this invention not assumed that the client and server necessarily share a large set of different symmetric key encryption or Message Authentication Code (MAC) algorithms. Instead it is assumed that the client has only two predefined cryptographic capabilities:

[0033] The client can digitally sign arbitrary data by using a public key algorithm together with a one way hash function; and

[0034] The client can verify the correctness of a public key signature of arbitrary data. The algorithms used to sign the data are chosen among a quite small number of possible algorithms.

[0035] The software program or hardware used for signing or verifying a signature of arbitrary data is physically located in the client such that it cannot be changed or manipulated by a hostile person. The software or hardware used for signing or verifying signatures does not need to be implemented entirely on the common computing platform; e.g. APIs (Application Program Interfaces) defined in the computing platform can be used instead.

[0036] Using the cryptographic capabilities described above, a client can securely download a Jini™ proxy, and use the Jini™ proxy to execute an authentication and key management protocol on its behalf. This gives total freedom to utilise service dependent security solutions. Now a first embodiment of the invention will be described referring to the flowchart of FIG. 2.

[0037] Before any communications are started, the server prepares a Jini™ proxy that the clients can download. The server also signs the Jini™ proxy, thereby allowing the clients to verify the integrity and origin of the Jini™ proxy before the Jini™ proxy is executed. The Jini™ proxy code typically includes a public key corresponding to a private key held by the server and methods needed for doing authenticated key exchange with the server.

[0038] 1. A server that wants to offer secure communication holds a computer program written in the computer language of the common platform, i.e. Java. In Jini™ terms, the server holds a Jini™ proxy. The Jini™ proxy contains the necessary algorithms and methods needed for doing authenticated key exchange with the server. Furthermore, the proxy contains the necessary algorithms needed to encrypt and protect all data sent between a client and a server in a secure service session. However, the proxy does not necessarily contain all code needed to perform cryptographic computation.

[0039] Instead, the proxy might use APIs defined in the common platform, if feasible.

[0040] 2. The server digitally signs the Jini™ proxy using its private key. The signature is calculated using the predefined algorithms and formats described above. This ensures that the client will be able to verify the signature.

[0041] 3. The server packs the signed code together with the signature and optionally also includes one or more certificates that certify the public key of the server. The server's public key can be used to verify the authenticity of the server.

[0042] In Jini™, and similar environments, a client looking for a service starts the communication. Once the service is found, the client downloads the service proxy for execution, with the difference that the authenticity of the service proxy is verified before starting its execution.

[0043] 4. A client searches for a service using the Jini lookup service 200.

[0044] 5. When the client finds the service and wants to use it, the client downloads a proxy corresponding to the service, together with signatures and optional certificates 210.

[0045] 6. The client verifies the signature of the downloaded data package. If the client holds a trusted public key that corresponds to the signature, or the client trusts some of the public keys contained in the certificates included, then the client treats the downloaded code as trusted code 220.

[0046] 7. If the verification of the proxy is correct, the client executes the downloaded code using the common computing platform. Runtime restrictions might be added as appropriate; in particular, the downloaded code does not need to be able to communicate with any other server than the designated one 230.

[0047] The downloaded code can ask the client to create a signed ticket if mutual authentication is required. The client may refuse to perform any other cryptographic functions. The ticket creation function takes some arbitrary data and outputs a ticket, which basically is a digital signature of the data plus a specific label added by the client. The label is needed in order to make sure that the resulting item is always recognised as a ticket. The client might also return a certificate containing a public key that can be used to verify signatures made by the client. The ticket label typically designates the service the client has requested the proxy for, and a time stamp. Before the client machine digitally signs the data and the label, the label should be displayed to the user of the client machine. The user might at that time refuse to sign the ticket. Thus the Jini™ proxy and the server can authenticate each other as follows.

[0048] 8. The proxy performs authenticated key exchange with its origin server 240. The actual protocol used can basically be any standard authentication and key exchange protocol, e.g. DH or RSA. The Jini™ proxy might request a certificate from the client certifying the public key for verifying the signature of the ticket mentioned above. If the authentication succeeds, the proxy sets up a secure communication link with the server 250.

[0049] The service provider that writes the security code can implement the key exchange algorithm as it wishes, but should follow good cryptographic principles. The security level thus depends on the algorithm used by the server.

[0050] In a first embodiment of the invention the fact that the key exchange code itself is signed by the server is used to save one public key signature generation, one public key signature verification and one transmission between the client and the server. This is possible since the signature of the key exchange code is checked prior to the real key exchange. Hence authenticated information about the server's public key is already available to the client. For example, if Diffie-Hellman is used, the public key exchange value of the server can be contained in the service code. Hence the key exchange can be performed with one single transmission from the client to the server, and we save one transmission.
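Steps 1 to 8 and the first embodiment, as an added example in Go that is not part of the patent: the server signs the proxy code together with its DH public value, the client refuses to execute anything whose signature does not verify, the proxy then asks the client for a ticket (a signature over the proxy's DH value plus a client-added service/time-stamp label) and needs only one message to the server. X25519 and Ed25519 stand in for the DH and signature algorithms, the wire layout and all function names are this example's own assumptions, and certificates are omitted (the client is assumed to already trust the server's signing key).

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Package is the download: proxy code, the server's DH public value (first
// embodiment) and one signature over both. Certificates are omitted.
type Package struct{ ProxyCode, ServerDH, Signature []byte }
// Hello is the single client-to-server transmission of the first embodiment.
type Hello struct{ ClientDH, ClientPub, Label, Ticket []byte }

// enc length-prefixes each field so boundaries are fixed under a signature.
func enc(fields ...[]byte) (out []byte) {
	for _, f := range fields {
		out = append(append(out, byte(len(f)>>8), byte(len(f))), f...)
	}
	return out
}

// x25519 is the DH computation against a peer's encoded public value.
func x25519(priv *ecdh.PrivateKey, pub []byte) ([]byte, error) {
	peer, err := ecdh.X25519().NewPublicKey(pub)
	if err != nil {
		return nil, err
	}
	return priv.ECDH(peer)
}

func sessionKey(shared, clientDH, serverDH []byte) []byte {
	k := sha256.Sum256(enc([]byte("session"), shared, clientDH, serverDH))
	return k[:]
}

// BuildPackage (server, steps 1-3): sign the proxy together with the DH value.
func BuildPackage(sign ed25519.PrivateKey, dh *ecdh.PrivateKey, code []byte) Package {
	pub := dh.PublicKey().Bytes()
	return Package{code, pub, ed25519.Sign(sign, enc(code, pub))}
}

// Ticket (client): the one extra function the proxy may ask for, a signature
// over the proxy's data plus a client-added label (service and time stamp).
func Ticket(sign ed25519.PrivateKey, data []byte, service string, ts int64) (label, sig []byte) {
	label = []byte(fmt.Sprintf("ticket:%s:%d", service, ts))
	return label, ed25519.Sign(sign, enc(data, label))
}

// RunProxy (client, steps 6-8): verify before executing, then one DH against the signed server value.
func RunProxy(trusted ed25519.PublicKey, sign ed25519.PrivateKey, p Package, service string, ts int64) (Hello, []byte, error) {
	if !ed25519.Verify(trusted, enc(p.ProxyCode, p.ServerDH), p.Signature) {
		return Hello{}, nil, errors.New("proxy signature invalid: not executing")
	}
	mine, _ := ecdh.X25519().GenerateKey(rand.Reader)
	shared, err := x25519(mine, p.ServerDH)
	if err != nil {
		return Hello{}, nil, err
	}
	cdh := mine.PublicKey().Bytes()
	label, sig := Ticket(sign, cdh, service, ts)
	h := Hello{cdh, sign.Public().(ed25519.PublicKey), label, sig}
	return h, sessionKey(shared, cdh, p.ServerDH), nil
}

// Accept (server, step 8): verify the ticket (ClientPub would be checked against a certificate), derive the same key.
func Accept(dh *ecdh.PrivateKey, h Hello) ([]byte, error) {
	if len(h.ClientPub) != ed25519.PublicKeySize ||
		!ed25519.Verify(h.ClientPub, enc(h.ClientDH, h.Label), h.Ticket) {
		return nil, errors.New("client ticket invalid")
	}
	shared, err := x25519(dh, h.ClientDH)
	if err != nil {
		return nil, err
	}
	return sessionKey(shared, h.ClientDH, dh.PublicKey().Bytes()), nil
}
```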

[0051] In a second embodiment of the invention, illustrated in FIG. 3, the key exchange is separated from the pure communication protection. The benefit of this approach is that several different services can be protected using one group master key, instead of each service having to perform a heavy public key exchange. Thus, instead of searching for a service the client 300 searches for a key exchange server 310. The client 300 receives from the key exchange server 310 a group master key and an identifier for that key. Later, when the client 300 wants to use a service in the same domain as the key exchange server was located, the client searches for a server 320 providing a service, downloads a package from the server 320 and executes the package on the common computing platform 330. The downloaded security code can ask the client 300 to perform one security function, which has the group master key identifier as input and the group master key as output. When doing the key exchange the downloaded service code uses the group master key.
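The second embodiment as an added example in Go (not the patent's own code), starting after the client has obtained the group master key and its identifier from the key exchange server: the downloaded service code only asks the client for the key by identifier, derives a per-service session key from it and checks a confirmation tag from the service. HMAC-SHA256 as the derivation function, the message layout and all names are this example's assumptions; the signed download of the service code is handled as in the previous example and not repeated here.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// KeyStore holds group master keys by identifier as handed out by the key
// exchange server 310 (that exchange is not shown; the key is assumed installed).
type KeyStore map[string][]byte

// Lookup is the single security function of FIG. 3: identifier in, key out.
func (s KeyStore) Lookup(id string) ([]byte, error) {
	k, ok := s[id]
	if !ok {
		return nil, errors.New("unknown group key identifier")
	}
	return k, nil
}

// mac is HMAC-SHA256 over the parts; nonces are fixed-length, so unambiguous.
func mac(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// serviceKey binds the master key to one service and one pair of nonces, so
// every session with every service gets its own key from the one master key.
func serviceKey(master []byte, service string, cNonce, sNonce []byte) []byte {
	return mac(master, []byte("service:"+service), cNonce, sNonce)
}

const nonceLen = 16
func nonce() []byte {
	n := make([]byte, nonceLen)
	rand.Read(n)
	return n
}

// Request is sent by the downloaded service code; Reply is the service's answer.
type Request struct {
	KeyID  string
	CNonce []byte
}
type Reply struct{ SNonce, Tag []byte }

// ProxyStart runs inside the downloaded code on the client 300: it only asks for the key by identifier.
func ProxyStart(store KeyStore, keyID string) (Request, error) {
	if _, err := store.Lookup(keyID); err != nil {
		return Request{}, err
	}
	return Request{keyID, nonce()}, nil
}

// ServiceAccept runs on the service 320, which holds the same group key.
func ServiceAccept(store KeyStore, service string, r Request) (Reply, []byte, error) {
	master, err := store.Lookup(r.KeyID)
	if err != nil || len(r.CNonce) != nonceLen {
		return Reply{}, nil, errors.New("unknown key or malformed request")
	}
	sn := nonce()
	key := serviceKey(master, service, r.CNonce, sn)
	return Reply{sn, mac(key, []byte("confirm"), r.CNonce, sn)}, key, nil
}

// ProxyFinish derives the same key and checks the tag in constant time, proving the service holds the master key.
func ProxyFinish(store KeyStore, service string, r Request, rep Reply) ([]byte, error) {
	master, err := store.Lookup(r.KeyID)
	if err != nil {
		return nil, err
	}
	key := serviceKey(master, service, r.CNonce, rep.SNonce)
	tag := mac(key, []byte("confirm"), r.CNonce, rep.SNonce)
	if len(rep.SNonce) != nonceLen || !hmac.Equal(rep.Tag, tag) {
		return nil, errors.New("service does not hold the group master key")
	}
	return key, nil
}
```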

[0052] The invention has now been described using Jini™ technology as an example, but the only requirement on the nodes is that they support a common computing platform, i.e. that all nodes in the ad hoc network can download and execute programs written in a common language, and that they have the ability to generate and verify signatures. The invention can e.g. also be used when setting up secure WAP (Wireless Application Protocol) services, i.e. by downloading a program code defining the security algorithm.

[0053] The invention being thus described, it will be obvious that the same may be varied in many ways. Such variations are not to be regarded as a departure from the scope of the invention, and all such modifications as would be obvious to one skilled in the art are intended to be included within the scope of the following claims.

1. A method for setting up a secure communication channel between a client and a server, the client and the server having a common computing platform supporting digital signing and verification of arbitrary data, the method characterized by downloading from the server to the client a digitally signed data package containing procedures for doing authenticated key exchange with the server; verifying in the client the digital signature of the downloaded data package; and executing the downloaded data package on said common computing platform if said verifying is correct.

2. The method of claim 1 further characterized by the downloaded data package asking the client to perform a security function having as input some arbitrary data and as output a digital signature of said data and a label added by the client, for mutual authentication.

3. The method of claim 2 characterized in that said label is a text identifying the requested service and a time stamp.

4. The method of any of the preceding claims characterized in that said common computing platform is the Java virtual machine and the Java byte code computing language.

5. The method of any of the preceding claims characterized in that said server is a key exchange server providing a group master key for protecting communication with several services.

6. A system for setting up a secure communication channel between a client and a server, the client and the server having a common computing platform supporting digital signing and verification of arbitrary data, the system characterized by means for downloading from the server to the client a digitally signed data package containing procedures for doing authenticated key exchange with the server; means for verifying in the client the digital signature of the downloaded data package; and means for executing said data package on the common computing platform if said verification is correct.

7. The system of claim 6 further characterized in that said downloaded data package has means for asking the client to perform a security function having as input some arbitrary data and as output a digital signature of said data and a label added by the client, for mutual authentication.

8. The system of claim 7 characterized in that said label is a text identifying the requested service and a time stamp.

9. The system of any of claims 6-8 characterized in that said common computing platform is the Java virtual machine and the Java byte code computing language.

10. The system of any of claims 6-9 characterized in that said server is a key exchange server having means to provide a group master key protecting communication with several services.